National Institute of Standards and Technology

Overview

Founded in 1901, the National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

Responsibilities

NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA) and in managing cost-effective programs to protect their information and information systems.

* Federal Information Processing Standards (FIPS) are developed by NIST in accordance with FISMA. FIPS are approved by the Secretary of Commerce and are compulsory and binding for federal agencies. Since FISMA requires that federal agencies comply with these standards, agencies may not waive their use.
* Guidance documents and recommendations are issued in the NIST Special Publication (SP) 800-series. Office of Management and Budget (OMB) policies (including OMB FISMA Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management) state that, for other than national security programs and systems, agencies must follow NIST guidance. While agencies are required to follow NIST guidance in accordance with OMB policy, NIST's guidance leaves agencies flexibility in how they apply it. Unless otherwise specified by OMB, the 800-series guidance documents published by NIST generally allow agencies some latitude in their application. Consequently, different agencies applying the same NIST guidance can arrive at different security solutions that are equally acceptable, compliant with the guidance, and meet the OMB definition of adequate security for federal information systems. When assessing agency compliance with NIST guidance, auditors, evaluators, and assessors should consider the intent of the security concepts and principles articulated within the particular guidance document and how the agency applied the guidance in the context of its specific mission responsibilities, operational environments, and unique organizational conditions.
* Other security-related publications, including NIST interagency and internal reports (NISTIRs) and ITL Bulletins, provide technical and other information about NIST's activities. These publications are mandatory only when so specified by OMB.

Schedule for compliance with NIST standards and guidelines

* For legacy information systems, agencies are expected to be in compliance with NIST security standards and guidelines within one year of the publication date unless otherwise directed by OMB or NIST. The one-year compliance date for revisions to NIST Special Publications applies only to the new and/or updated material in the publications resulting from the periodic revision process. Agencies are expected to be in compliance with previous versions of NIST Special Publications within one year of the publication date of the previous versions.
* For information systems under development, agencies are expected to be in compliance with NIST security standards and guidelines immediately upon deployment of the system.

Programs

NIST carries out its mission in four cooperative programs:

* the NIST Laboratories, which conduct research to advance the nation's technology infrastructure and assist U.S. industry to continually improve products and services;
* the Baldrige National Quality Program, which promotes performance excellence among U.S. manufacturers, service companies, educational institutions, and health care providers; conducts outreach programs; and manages the annual Malcolm Baldrige National Quality Award, which recognizes performance excellence and quality achievement;
* the Hollings Manufacturing Extension Partnership, a nationwide network of local centers offering technical and business assistance to smaller manufacturers; and
* the Technology Innovation Program, which provides cost-shared awards to industry, universities, and consortia for research on potentially revolutionary technologies that address critical national and societal needs.

Between 1990 and 2007, NIST also managed the Advanced Technology Program.

The agency operates in two locations: Gaithersburg, Md. (headquarters: 578-acre campus) and Boulder, Colo. (208-acre campus).

Cybersecurity

General

NIST:

* Chairs (since as early as 2002) and participates in multiple U.S. technical advisory groups to JTC-1 that have developed or are developing standards related to security evaluation techniques, identity management, identification card and smart card interoperability, cloud computing, biometrics, and cryptography.
* Participates in ITU-T study group efforts via the joint standards development project with ISO-IEC JTC-1.
* Serves as editor and area director while contributing to IETF standards efforts, including multiple efforts related to Internet Protocol version 6.
* Serves as editor and otherwise contributes to IEEE 802, and provides guidance to organizations for implementing wireless network standards.

FISMA

To help implement the provisions of FISMA for non-national security systems, NIST has developed a risk management framework for agencies to follow in developing information security programs. The framework is specified in NIST Special Publication (SP) 800-37, revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,[1] which provides agencies with guidance for applying the risk management framework to federal information systems.[2] The risk management framework replaces the process known as certification and accreditation described in the previous version of SP 800-37. The framework in SP 800-37 consists of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring. It also provides a process that integrates information security and risk management activities into the system development life cycle. Figure 1 provides an illustration of the framework and notes relevant security guidance for each part of the framework.

References

[1] NIST, Guide for Applying the Risk Management Framework to Federal Information Systems, SP 800-37, revision 1 (Gaithersburg, Md.: February 2010).
[2] NIST, Guide for Applying the Risk Management Framework to Federal Information Systems, SP 800-37, revision 1, was formerly NIST, Guide for the Certification and Accreditation of Federal Information Systems, SP 800-37.

Category:Government agency
Category:Technology